A Domain Name System (DNS) Amplification Attack is a Distributed Denial of Service (DDoS) attack in which the attacker exploits vulnerabilities in publicly accessible DNS servers to turn initially small queries into much larger responses, which are then directed at the victim's servers to bring them down.
It begins with the attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target's address, so that the DNS record response is sent to the target. In writing about it, US-CERT noted that "the spoofed queries sent by the attacker are of the type 'ANY,' which returns all known information about a DNS zone in a single request. Because the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic directed at the victim."
Typically, botnets are employed both for anonymity and to produce a sizeable quantity of spoofed DNS queries, so that a huge amount of traffic can be generated with minimal effort. Because the responses come from valid servers, this type of attack is very hard to prevent.
That said, there are various mitigation strategies, including rate limiting, blocking specific DNS servers or all open recursive resolvers, and tightening DNS security overall.
Various organizations offer free web-based scanning tools that search a network for vulnerable open DNS resolvers, including the Open DNS Resolver Project, The Measurement Factory and DNS Inspect. Reducing the number of servers that attackers can employ to generate huge volumes of traffic reduces the risk of a DNS amplification attack.
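A defender-side check for the patterns described above, as an added example that is not from the original article: it reads constructed resolver log lines and flags addresses that show open recursion, ANY-query amplification, or a response rate worth limiting. The log format, the local network range and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("192.0.2.0/24")]  # assumed: the only network this resolver should serve
AMPLIFICATION_LIMIT = 10.0  # assumed threshold on response bytes / query bytes
RESPONSES_PER_SECOND = 5    # assumed per-address limit, in the spirit of response rate limiting

def is_local(addr):
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def summarize(lines):
    """Per-address view of a log: outside source, ANY count, peak amplification, peak rate."""
    stats, per_second = {}, defaultdict(int)
    for line in lines:  # constructed format: epoch client qname qtype query_bytes response_bytes
        ts, client, _qname, qtype, qbytes, rbytes = line.split()
        s = stats.setdefault(client, {"outside": not is_local(client), "any_queries": 0,
                                      "max_ratio": 0.0, "peak_rps": 0})
        if qtype == "ANY":
            s["any_queries"] += 1
        s["max_ratio"] = max(s["max_ratio"], int(rbytes) / int(qbytes))
        bucket = (client, int(float(ts)))  # responses sent to this address within one second
        per_second[bucket] += 1
        s["peak_rps"] = max(s["peak_rps"], per_second[bucket])
    return stats

def findings(stats):
    """Map each suspicious address to the reasons it was flagged."""
    out = {}
    for client, s in stats.items():
        reasons = []
        if s["outside"]:  # recursion answered for a non-local source: the resolver is open
            reasons.append("recursion served to an outside address")
        if s["any_queries"] and s["max_ratio"] >= AMPLIFICATION_LIMIT:
            reasons.append(f"ANY queries amplified x{s['max_ratio']:.0f}")
        if s["peak_rps"] > RESPONSES_PER_SECOND:  # the 'client' here is the spoofed victim
            reasons.append(f"{s['peak_rps']} responses/s to one address, throttle")
        if reasons:
            out[client] = reasons
    return out

SAMPLE_LOG = [  # constructed: two normal local lookups, then a spoofed ANY burst
    "1700000000.1 192.0.2.10 www.example.net A 45 61",
    "1700000000.4 192.0.2.11 mail.example.net MX 48 110",
] + ["1700000001.%d 203.0.113.5 example.org ANY 42 3100" % i for i in range(6)]

if __name__ == "__main__":
    for client, reasons in findings(summarize(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```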
DNS amplification is one of the most popular DDoS attack types. In March 2013, Spamhaus, a non-profit anti-spam organization, was the target of a then-groundbreaking DDoS attack using DNS amplification: 300Gbps was thrown at Spamhaus' website, knocking it offline for over a week. Spamhaus hired CloudFlare to guard against the attacks, and CloudFlare took the unusual step of dropping London as a hub in its network. Due to the anonymity of the attack, Spamhaus remains unaware of its source.
A blog post written by CloudFlare at the time describes the mechanism of the attack and how it could be used to amplify packet floods. CloudFlare believes that 30,000 unique DNS resolvers were involved in the attack against Spamhaus. In its reporting, the CDN made clear that many DDoS attacks of this size were happening elsewhere; the difference here was that Spamhaus was willing to let CloudFlare tell the story of the attack and how they mitigated it.